Sealing a Management Pack

Updated: May 17, 2011

Management packs are sealed by using the MPSeal tool that is located in the SupportTools folder of the Operations Manager 2007 R2 distribution media. This is a command line tool that creates a sealed MP file from an unsealed XML file. After performing the sealing process, you can install the sealed management pack into your management group.

Note

If you created the management pack in the Operations console, then you must export it to an XML file prior to performing the sealing process. You must then uninstall the management pack before installing the sealed version.

Management Pack References

In addition to sealing the management pack, MPSeal verifies the management pack and will report any errors that would keep it from installing. All of these errors must be corrected before the sealing will complete successfully. This is the same verification performed by the MPVerify tool. In order to perform this function, MPSeal requires access to any management packs referenced by the management pack being sealed. These must be the sealed versions of the files with an MP extension and must be at least the version specified by the management pack being sealed.

You specify a directory to search for MP files with the /I command line option. You can use multiple /I options if the required files are in multiple directories. You can obtain the standard library management pack files included with Operations Manager 2007 R2 from the installation directory on the management server. You must obtain other management pack files separately. If you imported a management pack directly into your management group from the management pack catalog, then you will need to download it separately in order to obtain the MP file.

Note

If you are unsure of the management packs referenced by the management pack you are sealing, you can run MPSeal using any directory. A list of the required management packs will be returned.

Key File

Sealing requires a key file that contains a private and public key. This validates the identity of the signing party and ensures that a malicious user cannot provide a sealed management pack impersonating someone else. This is the same key pair used for signing .NET assemblies and can be created with the Strong Name Tool (sn.exe) included with the Microsoft Windows SDK.

Important

You should take care to protect any key file that is used to seal a management pack. If someone else were to obtain this key file, then they could seal a management pack impersonating the original author.

Delayed Signing

For added security of their private key, organizations may implement a delayed process for signing assemblies. This allows access to the private key to be limited to only a few individuals. Using this process, you sign the assembly with only the public key and then complete the signing with the private key just prior to shipping.

If your organization has an existing process for performing delayed signing of assemblies then you should use this process to seal your management pack for production. You can perform the initial partial sealing of the management pack using the /DelaySign option.
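The following PowerShell script is an added example, not part of the original article. It ties the sections above together: it creates a key pair, restricts access to it, and performs the initial partial sealing with only the public key. All paths, file names and the company name are placeholders. It assumes that sn.exe and MPSeal.exe are on the PATH, and it uses the MPSeal /Keyfile, /Company and /Outdir options in addition to the /I and /DelaySign options described above.

```powershell
# Added example: partial (delay-signed) sealing of a management pack.
# Every path and name below is a placeholder chosen for illustration.
$ErrorActionPreference = 'Stop'

$mpXml     = 'C:\MPWork\Contoso.Sample.xml'   # unsealed, exported management pack
$outDir    = 'C:\MPWork\Sealed'               # where the sealed .mp file is written
$keyPair   = 'C:\Keys\ContosoKeyPair.snk'     # private + public key: keep restricted
$publicKey = 'C:\MPWork\ContosoPublic.snk'    # public key only: safe to hand to authors
$company   = 'Contoso'
$refDirs   = @('C:\MPWork\Refs\Library', 'C:\MPWork\Refs\Other')  # sealed .mp references

function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    # Assumption: the tool signals failure with a non-zero exit code.
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Create the key pair once. Never overwrite an existing one, because a
#    new key changes the identity of every management pack sealed afterwards.
if (-not (Test-Path $keyPair)) {
    Invoke-Tool 'sn.exe' @('-k', $keyPair)
    # Remove inherited permissions and leave read access to the current account only.
    $account = "$($env:USERDOMAIN)\$($env:USERNAME)"
    Invoke-Tool 'icacls.exe' @($keyPair, '/inheritance:r', '/grant:r', "${account}:(R)")
}

# 2. Extract the public key so that sealing does not need the private key.
Invoke-Tool 'sn.exe' @('-p', $keyPair, $publicKey)

# 3. Build the MPSeal arguments: one /I option per reference directory.
$sealArgs = @($mpXml)
foreach ($dir in $refDirs) {
    if (-not (Test-Path $dir -PathType Container)) {
        throw "Reference directory not found: $dir"
    }
    $sealArgs += @('/I', $dir)
}
$sealArgs += @('/Keyfile', $publicKey, '/Company', $company,
               '/Outdir', $outDir, '/DelaySign')

# 4. Seal. MPSeal verifies the management pack first and reports any errors.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Invoke-Tool 'MPSeal.exe' $sealArgs

# 5. Confirm that the sealed file was actually produced.
$sealed = Join-Path $outDir ([IO.Path]::GetFileNameWithoutExtension($mpXml) + '.mp')
if (-not (Test-Path $sealed)) { throw "MPSeal did not produce $sealed" }
Write-Output "Partially sealed management pack: $sealed"
```

To seal in a single step without delayed signing, pass the key pair file to /Keyfile and omit /DelaySign.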